What drives white-hat hackers?
A recent survey of bug bounty participants found that they don’t hunt bugs for the money but are motivated by the work’s flexible hours and chances to improve their skills.
Security researchers who participate in bug bounty programs are highly coveted recruits for both industry and government agencies. To find out more about them, Bugcrowd, a provider of a crowdsourced security platform for bug bounty, vulnerability disclosure and pen testing programs, conducted a survey of nearly 3,500 security researchers worldwide who use its service.
The survey revealed that more than half live in urban environments and three out of four speak multiple languages. Surprisingly, they don’t hunt bugs for the money, which could be good news for agencies on tight budgets looking to hire more cybersecurity staff.
More than 60% reported pulling down a median annual income of just $25,000 or less, though many also said they only chase bug bounties on a part-time basis. Flexible hours and improved skills were also cited as motivations, as was the chance to solve difficult problems.
According to the survey, higher education is an important feature for many security researchers and their families. They're most likely to have obtained a college degree (49%), have parents who have done the same (36%) and are three times less likely to drop out than their parents. The survey data "suggests most security researchers are degree-qualified because they come from educated families that value the acquisition of worldly knowledge, skills, values, beliefs and habits."
The report predicts that over the next six months, cybercriminals will exploit the widespread shift to remote telework in the wake of the COVID-19 pandemic, increasingly targeting vulnerable infrastructure through expanded reconnaissance activities and asset discovery. That in turn will lead to organizations boosting their reliance on artificial intelligence, although 78% of survey respondents said AI-powered cybersecurity solutions alone aren’t enough to outmaneuver cyberattacks over the next decade.
"This gap between automation and human adversarial creativity suggests organizations will increasingly seek to augment their human expertise in securing their assets via crowdsourcing, the most efficient and practical approach to finding available talent," the company said.
A longer version of this article was first posted to FCW, a sibling site to GCN.